6 July 2007

There's a fascinating new
IEEE Spectrum article
by Vassilis Prevelakis and Diomidis Spinellis
about the Greek cellphone tapping incident. In this incident,
someone — just who remains unknown — inserted
some code in some phone switches to abuse the built-in wiretap
facilities to eavesdrop on calls. Over 100 people's lines were monitored,
up to and including the prime minister.

There are two important lessons to be drawn from this incident. First,
logging and process are very important. Everyone involved in
system design or operation should pay attention to that portion of
the article. I say "everyone" and not "all security people" because
the logs in question are not necessarily intended for security
purposes.